OSSA-2019-005: Octavia Amphora-Agent not requiring Client-Certificate

Date:

October 07, 2019

CVE:

CVE-2019-17134

Affects

• Octavia: >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0

Description

Daniel Preussker reported a vulnerability in amphora-agent, running within Octavia Amphora Instances which allows unauthenticated access from the management network. This leads to information disclosure and also allows changes to the configuration of the Amphora via simple HTTP requests because cmd/agent.py gunicorn cert_reqs option is incorrectly set to True instead of ssl.CERT_REQUIRED.

Patches

• https://review.opendev.org/686547 (Ocata)

• https://review.opendev.org/686546 (Pike)

• https://review.opendev.org/686545 (Queens)

• https://review.opendev.org/686544 (Rocky)

• https://review.opendev.org/686543 (Stein)

• https://review.opendev.org/686541 (Train)

Credits

• Daniel Preussker (CVE-2019-17134)

References

• https://storyboard.openstack.org/#!/story/2006660

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17134

Notes

• The stable/ocata and stable/pike branches are under extended maintenance and will receive no new point releases, but patches for them are provided as a courtesy.